Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 23b402863f1ccb7ad2accb63e70242eba4fe532a
https://github.com/WebKit/WebKit/commit/23b402863f1ccb7ad2accb63e70242eba4fe532a
Author: Chris Dumez <[email protected]>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeHost.mm
Log Message:
-----------
RemoteLayerTreeHost::updateLayerTree may dereference a null root node for hosted transactions
https://bugs.webkit.org/show_bug.cgi?id=316750
Reviewed by Tim Horton.
RemoteLayerTreeHost::updateLayerTree looks up the transaction's root node with
nodeForID(transaction.rootLayerID()) and explicitly tolerates a null result,
logging it and continuing. It then unconditionally dereferences rootNode inside
the remoteContextHostedIdentifier() block to register the hosted layer and set
its hosting identifier.
rootLayerID() and remoteContextHostedIdentifier() are independent Markable
fields of the transaction, both controlled by the (untrusted) Web process and
serialized over the CommitLayerTree IPC with no cross-validation. A transaction
that has remoteContextHostedIdentifier() engaged but a rootLayerID() that does
not resolve to a created node therefore drives a null-pointer dereference in the
UI process, i.e. a Web-process-triggerable UI-process crash.
Fix this by only entering the hosted-identifier block when rootNode is non-null.
The missing root is already logged earlier, matching how the rest of the
function handles missing nodes (log and continue), and all other transaction
processing (changed layer properties, clones, destroyed layers, unreachable
backing stores) is left to run normally.
* Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeHost.mm:
(WebKit::RemoteLayerTreeHost::updateLayerTree):
Canonical link: https://commits.webkit.org/314958@main
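The bug class in this commit is worth seeing in isolation: two independently decoded optional fields, one of which is tolerated when it fails to resolve, and a later block that is guarded only by the other field. The following C++ is an added example written for this page, not WebKit's code: the names `Transaction`, `LayerTreeHost`, `nodeForID` and `updateLayerTree` are modelled on the identifiers in the commit message, but the structures, the `std::optional` stand-in for Markable, the log vector and the sample transactions are all assumptions constructed here. It shows the hardened shape of the hosted-identifier block (guarded on both the identifier and the resolved node) and drives it with the exact transaction shape the commit describes: a hosted identifier that is engaged while `rootLayerID` names a layer that was never created.

```cpp
// Added example modelling the fix in WebKit commit 314958@main. Not WebKit code:
// types, fields and sample data are assumptions constructed for illustration.
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <vector>

using LayerID = uint64_t;
using HostingIdentifier = uint32_t;

struct Node {
    LayerID id;
    std::optional<HostingIdentifier> hostingIdentifier;
};

// Stand-in for the IPC-decoded CommitLayerTree transaction. As in the commit
// message, the two optionals are independent: nothing at decode time checks
// that an engaged hosted identifier comes with a root that actually exists.
struct Transaction {
    std::optional<LayerID> rootLayerID;
    std::optional<HostingIdentifier> remoteContextHostedIdentifier;
    std::vector<LayerID> createdLayers;
    std::vector<LayerID> destroyedLayers;
};

class LayerTreeHost {
public:
    std::vector<std::string> log;                       // stand-in for RELEASE_LOG
    std::map<HostingIdentifier, LayerID> hostedLayers;  // hosted-layer registry

    // Returns nullptr when the optional is disengaged or the ID is unknown,
    // exactly the case the caller must tolerate.
    Node* nodeForID(std::optional<LayerID> id) {
        if (!id)
            return nullptr;
        auto it = m_nodes.find(*id);
        return it == m_nodes.end() ? nullptr : it->second.get();
    }

    // Hardened update. Returns true if the hosted-layer registration happened.
    bool updateLayerTree(const Transaction& tx) {
        for (LayerID id : tx.createdLayers)
            m_nodes.emplace(id, std::make_unique<Node>(Node{ id, std::nullopt }));

        Node* rootNode = nodeForID(tx.rootLayerID);
        if (!rootNode)
            log.push_back("missing root node; continuing");   // log and continue

        bool registered = false;
        // Before the fix this block was entered whenever the hosted identifier
        // was engaged and dereferenced rootNode unconditionally. Guard on the
        // node as well so an unresolved root cannot reach the dereference.
        if (rootNode && tx.remoteContextHostedIdentifier) {
            rootNode->hostingIdentifier = *tx.remoteContextHostedIdentifier;
            hostedLayers[*tx.remoteContextHostedIdentifier] = rootNode->id;
            registered = true;
        }

        // The rest of the transaction is still processed, matching the
        // function's existing "log and continue" handling of missing nodes.
        for (LayerID id : tx.destroyedLayers) {
            if (!m_nodes.erase(id))
                log.push_back("destroy of unknown layer; continuing");
        }
        return registered;
    }

    size_t nodeCount() const { return m_nodes.size(); }

private:
    std::map<LayerID, std::unique_ptr<Node>> m_nodes;
};

// Benign case: root created in the same transaction, hosting identifier set.
bool hostedRegistrationSucceeds() {
    LayerTreeHost host;
    Transaction tx;
    tx.createdLayers = { 7 };
    tx.rootLayerID = 7;
    tx.remoteContextHostedIdentifier = 42;
    return host.updateLayerTree(tx) && host.hostedLayers.at(42) == 7;
}

// Web-process-controlled shape from the commit: hosted identifier engaged,
// rootLayerID pointing at a layer that was never created. Must not crash,
// must log, must register nothing, and must still apply the destroyed layer.
bool maliciousTransactionIsTolerated() {
    LayerTreeHost host;
    Transaction setup;
    setup.createdLayers = { 1, 2 };          // no root: logs once, harmless
    host.updateLayerTree(setup);

    Transaction tx;
    tx.rootLayerID = 999;                    // never created
    tx.remoteContextHostedIdentifier = 42;
    tx.destroyedLayers = { 2 };
    bool registered = host.updateLayerTree(tx);
    return !registered && host.hostedLayers.empty()
        && host.nodeCount() == 1 && host.log.size() == 2;
}

int main() {
    std::printf("benign: %d\nmalicious tolerated: %d\n",
                hostedRegistrationSucceeds(), maliciousTransactionIsTolerated());
    return 0;
}
```

The guard `rootNode && tx.remoteContextHostedIdentifier` is the whole fix; the point of the harness is that the second scenario would have been undefined behaviour (a null dereference in the UI process) with the original guard, and with the corrected one it degrades to a log line while the destroyed-layer processing still runs.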